Threat actors associated with the Play ransomware operation have recently taken advantage of a zero-day vulnerability in Microsoft Windows, exploiting it before a patch was released on April 8, 2025. This vulnerability, identified as CVE-2025-29824, specifically impacts the Windows Common Log File System (CLFS) driver, granting attackers the ability to elevate their privileges from standard user to full system access.
The Symantec Threat Hunter Team has reported that the Play ransomware group, also known by aliases such as Balloonfly or PlayCrypt, targeted an unnamed organization within the United States. The attackers likely gained initial access through a public-facing Cisco Adaptive Security Appliance (ASA).
Interestingly, while no ransomware payload was deployed during this intrusion, the attackers utilized a custom information-stealing tool named Grixba, which has been previously linked to the Play ransomware operation.
Microsoft’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have attributed this exploitation activity to a threat group known as Storm-2460, which is recognized for deploying the PipeMagic malware in its ransomware campaigns. The targets of this operation spanned various sectors, including information technology and real estate in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.
Exploitation of Windows 0-Day Vulnerability
According to Microsoft, “Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access into privileged access.” The vulnerability received a CVSS score of 7.8, categorized as High, and was addressed in Microsoft’s April 2025 Patch Tuesday updates, which resolved a total of 121 vulnerabilities.
Technical analysis of the incident revealed the attack chain. The vulnerability is a use-after-free in the CLFS kernel driver (clfs.sys). During exploitation the attackers dropped files into C:\ProgramData\SkyPDF, among them a DLL that was injected into the winlogon.exe process. Running with SYSTEM-level privileges in that context, they dumped LSASS memory with Sysinternals' procdump.exe to harvest credentials, created new administrator accounts, and established persistence on the host.
The Play ransomware group, active since June 2022, is notorious for employing double-extortion tactics, where sensitive data is exfiltrated before encryption occurs. They have previously developed custom tools like Grixba, which have been cleverly disguised as legitimate security software, including counterfeit applications resembling those from SentinelOne and Palo Alto Networks.
Researchers have noted that while ransomware actors rarely use zero-day vulnerabilities, this incident signals an escalation in their operational capabilities. Organizations are strongly encouraged to apply the security updates released on April 8, 2025, particularly on systems running vulnerable versions of Windows. Notably, Microsoft has stated that customers running Windows 11 version 24H2 were not affected by the observed exploitation, even though the vulnerability is present, because that release already restricts the information the exploit relied on to processes holding SeDebugPrivilege.
This incident serves as a reminder of the ongoing evolution of ransomware tactics and underscores the critical importance of timely patching, especially for vulnerabilities that facilitate privilege escalation, which are integral components in ransomware attack chains.
IoCs
Here’s a table of Indicators of Compromise (IoCs) linked to the Play ransomware campaign exploiting CVE-2025-29824:
Hash (SHA-256) | Filename | Description | Detection/Malware Name |
---|---|---|---|
6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05 | gt_net.exe | Grixba infostealer tool | Infostealer.Grixba |
858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe | go.exe | CVE-2025-29824 exploit binary | N/A |
9c21adbcb2888daf14ef55c4fa1f41eaa6cbfbe20d85c3e1da61a96a53ba18f9 | clssrv.inf | DLL injected into winlogon.exe | Exploit payload |
6d7374b4f977f689389c7155192b5db70ee44a7645625ecf8163c00da8828388 | cmdpostfix.bat | Artifact cleanup script | Malicious batch file |
b2cba01ae6707ce694073018d948f82340b9c41fb2b2bc49769f9a0be37071e1 | servtask.bat | Privilege escalation/user creation script | Malicious batch file |
293b455b5b7e1c2063a8781f3c169cf8ef2b1d06e6b7a086b7b44f37f55729bd | paloaltoconfig.dll | Masqueraded Palo Alto Networks tool | Unknown malicious DLL |
af260c172baffd0e8b2671fd0c84e607ac9b2c8beb57df43cf5df6e103cbb7ad | paloaltoconfig.exe | Masqueraded Palo Alto Networks tool | Unknown malicious EXE |
430d1364d0d0a60facd9b73e674faddf63a8f77649cd10ba855df7e49189980b | 1day.exe | Suspected exploit-related utility | Unknown malicious EXE |
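The following PowerShell hunting script is an added example, not code from Symantec, Microsoft or the Play operators. It turns the attack chain described above (the C:\ProgramData\SkyPDF staging directory, the procdump.exe dump of LSASS, the creation of new administrator accounts) and the hash table into host-side checks. Assumptions: it runs in an elevated session, the scan roots listed in `$scanRoots` are a guess at where dropped files would land, the Security log checks need process-creation auditing (event 4688 with command-line logging) and account auditing (4720/4732) to be enabled, and the build-number check treats build 26100 as the Windows 11 24H2 line that Microsoft said was not affected by the observed exploitation.

```powershell
# Added hunting script for the CVE-2025-29824 / Play artifacts reported above.
# Not vendor code. Run as Administrator. Hashes are the SHA-256 values from the IoC table.
$IocHashes = @{
    '6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05' = 'gt_net.exe (Grixba infostealer)'
    '858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe' = 'go.exe (CVE-2025-29824 exploit)'
    '9c21adbcb2888daf14ef55c4fa1f41eaa6cbfbe20d85c3e1da61a96a53ba18f9' = 'clssrv.inf (DLL injected into winlogon.exe)'
    '6d7374b4f977f689389c7155192b5db70ee44a7645625ecf8163c00da8828388' = 'cmdpostfix.bat (cleanup script)'
    'b2cba01ae6707ce694073018d948f82340b9c41fb2b2bc49769f9a0be37071e1' = 'servtask.bat (admin user creation)'
    '293b455b5b7e1c2063a8781f3c169cf8ef2b1d06e6b7a086b7b44f37f55729bd' = 'paloaltoconfig.dll (masqueraded tool)'
    'af260c172baffd0e8b2671fd0c84e607ac9b2c8beb57df43cf5df6e103cbb7ad' = 'paloaltoconfig.exe (masqueraded tool)'
    '430d1364d0d0a60facd9b73e674faddf63a8f77649cd10ba855df7e49189980b' = '1day.exe (exploit-related utility)'
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Staging directory the exploit wrote its files into, per Microsoft's report.
$stage = 'C:\ProgramData\SkyPDF'
if (Test-Path -LiteralPath $stage) {
    $findings.Add("Staging directory present: $stage")
    Get-ChildItem -LiteralPath $stage -Force -File | ForEach-Object {
        $findings.Add("  file: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))")
    }
}

# 2. Hash the files under likely drop locations (assumption: adjust $scanRoots for your estate)
#    and compare against the IoC table. Files over 50 MB are skipped to keep the scan cheap.
$scanRoots = @('C:\ProgramData', "$env:SystemRoot\Temp", $env:TEMP, 'C:\Users\Public')
Get-ChildItem -Path $scanRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 50MB } |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $IocHashes.ContainsKey($h.ToLower())) {
            $findings.Add("IoC hash match: $($_.FullName) -> $($IocHashes[$h.ToLower()])")
        }
    }

# 3. procdump.exe aimed at LSASS, as seen in process-creation events (4688 with command-line auditing).
#    Get-WinEvent throws when no events match, so the lookup is wrapped in try/catch.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction Stop |
        Where-Object { $_.Message -match '(?i)procdump' -and $_.Message -match '(?i)lsass' } |
        ForEach-Object {
            $cmdLine = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            $findings.Add("LSASS dump attempt at $($_.TimeCreated): $cmdLine")
        }
} catch {
    $findings.Add("Could not evaluate 4688 events: $($_.Exception.Message)")
}

# 4. Account creation (4720) and additions to a local group (4732) in the last 30 days,
#    matching the administrator-account creation described in the text.
$since = (Get-Date).AddDays(-30)
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction Stop |
        ForEach-Object {
            $findings.Add("Account event $($_.Id) at $($_.TimeCreated): $(($_.Message -split "`r?`n")[0])")
        }
} catch {
    $findings.Add("Could not evaluate 4720/4732 events: $($_.Exception.Message)")
}

# 5. Current members of the local Administrators group, to review against the expected baseline.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Administrators member: $($_.Name) ($($_.PrincipalSource))")
}

# 6. Build-number context. Microsoft's statement about the observed exploitation being blocked
#    covers Windows 11 24H2 (build 26100); everything older needs the April 8, 2025 update.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -ge 26100) {
    Write-Host "Build $build (Windows 11 24H2 line): observed exploit chain mitigated, still apply the April 2025 update."
} else {
    Write-Host "Build $build: verify the April 8, 2025 cumulative update is installed."
}

if ($findings.Count -eq 0) {
    Write-Host 'No CVE-2025-29824 / Play artifacts found in the checked locations.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A hash match on any of the eight values, a populated SkyPDF directory, or a procdump command line naming lsass is a strong signal and should trigger an incident response, not just a patch; the Administrators listing and the account events are context for the analyst rather than alerts on their own.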